@Mugen87 Mugen87 commented Mar 21, 2025

Reverts #30748

@Mugen87 Mugen87 merged commit 03cedd8 into dev Mar 21, 2025
9 of 10 checks passed
@Mugen87 Mugen87 deleted the revert-30748-dev2 branch March 21, 2025 09:53
const docType = hash.slice( 0, hash.indexOf( '/' ) + 1 );
let docLink = hash.slice( hash.indexOf( '/' ) + 1 );
docLink = docLink.slice( docLink.indexOf( '/' ) );
location.href = docType + language + docLink;

Check warning
Code scanning / CodeQL: DOM text reinterpreted as HTML (Medium)
DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 10 months ago

To fix the problem, we need to ensure that the language variable is properly sanitized before it is used to construct the URL. This can be achieved by validating the language variable against a predefined set of allowed values. If the value is not in the allowed set, we should either reject it or default to a safe value.

  • Create a list of allowed language codes.
  • Validate the language variable against this list before using it to construct the URL.
  • If the language variable is not valid, default to a safe value or handle the error appropriately.
Suggested changeset 1
docs/index.html

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/docs/index.html b/docs/index.html
--- a/docs/index.html
+++ b/docs/index.html
@@ -117,5 +117,11 @@
 
+			const allowedLanguages = ['en', 'zh', 'fr', 'de', 'es']; // Add allowed language codes
+
 			function setLanguage( value ) {
 
-				language = value;
+				if (allowedLanguages.includes(value)) {
+					language = value;
+				} else {
+					language = 'en'; // Default to 'en' if the value is not valid
+				}
 
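Review bot: the allowlist `['en', 'zh', 'fr', 'de', 'es']` is a placeholder the autofix invented (its own comment says "Add allowed language codes"), so any real docs language outside that list would silently be reset to 'en'; derive the set from wherever the docs already enumerate their languages rather than hand-maintaining a second copy. Also, the flagged sink `location.href = docType + language + docLink` concatenates `docLink`, which is sliced from the same hash, so validating `language` alone does not cover the value CodeQL is pointing at; check the assembled path against the known-page table before assigning it to `location.href`.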
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
if ( search ) {

const link = sectionLink.href.split( /[?#]/ )[ 0 ];
sectionLink.href = `${link}?q=${search}`;

Check warning
Code scanning / CodeQL: DOM text reinterpreted as HTML (Medium)
DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 10 months ago

To fix the problem, we need to ensure that the user input is properly sanitized before being used to construct the URL. The best way to do this is to use a function that encodes the user input to make it safe for use in a URL. We can use the encodeURIComponent function to achieve this.

  • We will modify the updateFilter function to encode the user input before using it in the URL.
  • Specifically, we will change the line where the URL is constructed to use encodeURIComponent(v).
Suggested changeset 1
docs/index.html

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/docs/index.html b/docs/index.html
--- a/docs/index.html
+++ b/docs/index.html
@@ -372,3 +372,3 @@
 
-				window.history.replaceState( {}, '', '?q=' + v + window.location.hash );
+				window.history.replaceState( {}, '', '?q=' + encodeURIComponent(v) + window.location.hash );
 
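Review bot: `encodeURIComponent(v)` is the right call for a query value, but the term is later read back out of the URL as `search` and re-emitted in the next hunk, so the read side has to decode it consistently (for instance `new URLSearchParams( window.location.search ).get( 'q' )`, which returns the decoded value); otherwise a filter such as `a b` round-trips as `a%20b` and is then encoded again to `a%2520b`.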
@@ -420,3 +420,3 @@
 				const link = sectionLink.href.split( /[?#]/ )[ 0 ];
-				sectionLink.href = `${link}?q=${search}`;
+				sectionLink.href = `${link}?q=${encodeURIComponent(search)}`;
 
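Review bot: this change is only correct if `search` holds the decoded term; if it is taken from `location.search` still percent-encoded, `encodeURIComponent(search)` double-encodes it and the section links stop matching the active filter. Note also that the sink is a URL string assigned to `href`, not HTML text, so encoding here keeps the term from breaking out of the query string rather than preventing markup injection.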
EOF

};

iframe.src = splitHash[ 0 ] + '.html' + splitHash[ 1 ];

Check warning
Code scanning / CodeQL: Client-side URL redirect (Medium)
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix

AI 10 months ago

To fix the problem, we need to validate the user input before using it to construct the URL for the iframe. One way to do this is to maintain a list of authorized page names and only allow redirection to those pages. This ensures that the redirection is limited to known, safe URLs.

We will:

  1. Create a list of authorized page names.
  2. Check if the splitHash[0] value is in the list of authorized page names before constructing the URL.
  3. If the value is not authorized, we will not perform the redirection.
Suggested changeset 1
docs/index.html

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/docs/index.html b/docs/index.html
--- a/docs/index.html
+++ b/docs/index.html
@@ -517,2 +517,5 @@
 
+			// List of authorized page names
+			const authorizedPages = ['Geometry', 'Material', 'Texture', 'Light', 'Camera'];
+
 			// Creating a new Iframe instead of assigning a new src is
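Review bot: `authorizedPages` is a five-entry list the autofix made up, not something derived from the docs; judging from the `docType + language + docLink` slicing flagged at the top of this page, page keys carry a doc type, a language segment and slashes, so a bare `'Geometry'` would never match and every page load would be refused. The `titles[ splitHash[ 0 ] ]` lookup in the next hunk is already the allowlist; drop this list and harden that lookup instead.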
@@ -531,3 +534,3 @@
 
-			if ( hash && titles[ splitHash[ 0 ] ] ) {
+			if ( hash && titles[ splitHash[ 0 ] ] && authorizedPages.includes(splitHash[ 0 ]) ) {
 
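Review bot: `authorizedPages.includes(splitHash[ 0 ])` is redundant with the `titles[ splitHash[ 0 ] ]` test right before it, since a name that is not a key of `titles` is rejected already. The one gap the original guard has is inherited keys (a hash of `__proto__` or `constructor` makes `titles[ ... ]` truthy), which is closed by `Object.prototype.hasOwnProperty.call( titles, splitHash[ 0 ] )` rather than by a second hard-coded list.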
EOF

};

iframe.src = splitHash[ 0 ] + '.html' + splitHash[ 1 ];

Check failure
Code scanning / CodeQL: Client-side cross-site scripting (High)
Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix

AI 10 months ago

To fix the problem, we need to sanitize the user-provided input from window.location.hash before using it to construct the iframe.src URL. This can be done by encoding the input to ensure that any potentially malicious characters are neutralized. We can use the encodeURIComponent function to encode the parts of the URL.

  • Modify the createNewIframe function to sanitize the splitHash values before using them.
  • Specifically, apply encodeURIComponent to splitHash[0] and splitHash[1] before concatenating them to form the iframe.src URL.
Suggested changeset 1
docs/index.html

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/docs/index.html b/docs/index.html
--- a/docs/index.html
+++ b/docs/index.html
@@ -539,3 +539,3 @@
 
-				iframe.src = splitHash[ 0 ] + '.html' + splitHash[ 1 ];
+				iframe.src = encodeURIComponent(splitHash[ 0 ]) + '.html' + encodeURIComponent(splitHash[ 1 ]);
 				subtitle = titles[ splitHash[ 0 ] ] + splitHash[ 1 ] + ' – ';
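Review bot: `encodeURIComponent(splitHash[ 0 ])` breaks every page whose key contains a `/`, because the slash becomes `%2F` and the iframe then requests a file that does not exist; `splitHash[ 0 ]` is already restricted to keys of `titles` by the guard shown in the previous alert, so it needs no encoding at all. `splitHash[ 1 ]` is the only free part and should be validated against the shape it is expected to have (an identifier-like member name) rather than encoded, and the unencoded copy still flows into `subtitle` on the context line below, so this patch leaves the second use untouched anyway.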
EOF
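As an added example (not code from three.js or from the Copilot suggestions above), here are the two hash-driven URL constructions CodeQL flagged, rewritten so that each untrusted piece is either matched against a table of known pages or percent-encoded; KNOWN_PAGES, ALLOWED_LANGUAGES and both function names are assumptions made for illustration.

```javascript
// Added example, not code from three.js or from the autofix: hash-driven URL
// builders where the page key is allowlisted (never encoded, so slashes stay
// literal), the language is allowlisted, and only free text is percent-encoded.
const KNOWN_PAGES = {                      // constructed stand-in for the docs `titles` table
  'api/en/core/Object3D': 'Object3D',
  'api/zh/core/Object3D': 'Object3D',
  'manual/en/introduction/Installation': 'Installation',
};
const ALLOWED_LANGUAGES = new Set( [ 'en', 'zh' ] );  // constructed allowlist

function isKnownPage( key ) {
  // Own-property check, so a hash of "__proto__" or "constructor" cannot
  // satisfy a plain `titles[ key ]` truthiness test via inherited properties.
  return Object.prototype.hasOwnProperty.call( KNOWN_PAGES, key );
}

// "#api/en/core/Object3D.position" -> { src, title }, or null when rejected.
// The optional member suffix after the dot is the only part not covered by
// the page table, so it is validated against an identifier pattern.
function buildIframeSrc( rawHash, searchTerm ) {
  const hash = rawHash.replace( /^#/, '' );
  const dot = hash.indexOf( '.' );
  const page = dot === -1 ? hash : hash.slice( 0, dot );
  const member = dot === -1 ? '' : hash.slice( dot + 1 );
  if ( ! isKnownPage( page ) ) return null;
  // Reject anything that is not an identifier rather than trying to encode it.
  if ( member && ! /^[A-Za-z_$][\w$]*$/.test( member ) ) return null;
  const query = searchTerm ? '?q=' + encodeURIComponent( searchTerm ) : '';
  const fragment = member ? '#' + member : '';
  return { src: page + '.html' + query + fragment, title: KNOWN_PAGES[ page ] };
}

// Same slicing as the flagged `location.href = docType + language + docLink`
// line, but the language is allowlisted and the result must be a known page.
function switchLanguage( hash, language ) {
  if ( ! ALLOWED_LANGUAGES.has( language ) ) return null;
  const docType = hash.slice( 0, hash.indexOf( '/' ) + 1 );   // "api/"
  let docLink = hash.slice( hash.indexOf( '/' ) + 1 );        // "en/core/Object3D"
  docLink = docLink.slice( docLink.indexOf( '/' ) );          // "/core/Object3D"
  const target = docType + language + docLink;
  return isKnownPage( target ) ? target : null;
}
```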